Client is unable to authenticate to access a resource from RS

Hi Team,

We have a requirement to trigger an API that is protected with the OAuth2 Client Credentials grant. Here is the flow:

1. The consuming client first retrieves a JWT access token from the AS (PingAM). Working.
2. The consuming client sends a request to the RS with the just-received JWT token.
Expectation: the RS validates the JWT token (without the introspection API; indeed, taking the jwk-uri as input to retrieve the certificate and validate the token) and, if the token is valid, the resource server returns the requested information.
Actual result: the client receives the following error: “An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found”.
Kindly note here:

The grant type is client-credentials.
After doing some research (Access token header 'kid' missing), I came to know that I need to add 'kid' to the token header, and that 'kid' is automatically added to the header if we select the signing algorithm as RS256 (RS family). I did the necessary configuration, but I still see HS256 as the ALG value and no 'kid' in the header. Is AM missing something? Kindly note that a) I am not getting anything in the LOG, and b) the same configuration is working in the client env with some other AS.
I’ll appreciate your help.
Thanks
Kanchan

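As an added illustration of the failure described in the post above (this is example code written for this page, not code from the thread, from PingAM or from any resource-server framework), the script below reproduces the key-selection step a JWKS-based resource server performs before it checks a signature. An HS256 token carries no 'kid' and is signed with the shared client secret, so no key in a JWKS can match it; an RS256 token whose 'kid' is present in the JWKS selects a key and proceeds. The client secret, the JWKS contents (including the kid value "am-rsa-key-1" and the placeholder RSA modulus), the ALG_TO_KTY table and all function names are constructed for this example and are not taken from the page.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed material for this example (not from the page or from PingAM):
# the shared client secret an AS would use for HS256, and a JWKS with one RSA
# signing key. The "n"/"e" values are placeholders: only kty/kid/alg/use take
# part in the key-selection step demonstrated here.
CLIENT_SECRET = b"example-client-secret-for-illustration-only"
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "am-rsa-key-1", "alg": "RS256", "use": "sig",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
}

# JWS algorithms a JWKS can serve, mapped to the JWK key type that verifies them.
# HS256/384/512 are deliberately absent: they need the shared secret, not a public key.
ALG_TO_KTY = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
    "EdDSA": "OKP",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_token(header: dict, claims: dict, signature: bytes) -> str:
    """Assemble header.payload.signature in compact JWS form."""
    return _segment(header) + "." + _segment(claims) + "." + b64url_encode(signature)


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Sign with HMAC-SHA256 over the shared secret, as an AS that issues
    HS256 access tokens does. Note the header carries no kid."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _segment(header) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def parse_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def verify_hs256(token: str, secret: bytes) -> bool:
    """What it takes to verify the HS256 token: the secret, not a JWKS."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def select_jwk(token: str, jwks: dict) -> Tuple[Optional[dict], str]:
    """The key-selection step a JWKS-backed resource server runs before any
    signature check. Returns (jwk, reason); jwk is None when no key matches."""
    header = parse_header(token)
    alg, kid = header.get("alg"), header.get("kid")
    kty = ALG_TO_KTY.get(alg)
    if kty is None:
        return None, f"alg {alg!r} cannot be verified from a JWKS (HMAC needs the shared secret)"
    candidates = [
        k for k in jwks.get("keys", [])
        if k.get("kty") == kty and k.get("use", "sig") == "sig" and k.get("alg", alg) == alg
    ]
    if kid is not None:
        candidates = [k for k in candidates if k.get("kid") == kid]
    if not candidates:
        return None, f"no {kty} key matching alg={alg!r} kid={kid!r} in JWKS"
    if len(candidates) > 1:
        return None, f"{len(candidates)} {kty} keys match and the header has no kid to choose one"
    return candidates[0], "ok"


if __name__ == "__main__":
    claims = {"sub": "api-client", "scope": "read"}
    hs = make_hs256_token(claims, CLIENT_SECRET)
    print(parse_header(hs), "->", select_jwk(hs, SAMPLE_JWKS)[1])
    # RS256 header with a kid; the signature bytes are a placeholder because
    # only header-based key selection is exercised here.
    rs = make_token({"alg": "RS256", "typ": "JWT", "kid": "am-rsa-key-1"}, claims, b"\x00" * 4)
    print(parse_header(rs), "->", select_jwk(rs, SAMPLE_JWKS)[1])
```

Running the script prints the HS256 header (no kid) with the reason the JWKS lookup fails, and the RS256 header with "ok". The practical check it suggests is to base64url-decode the first segment of the token the AS actually returns and confirm that alg is an asymmetric algorithm and that its kid appears in the document served at the jwks-uri; until that is true, a JWKS-based resource server has nothing to verify the token with.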

Thank you for raising this discussion @kanchans.mishra .
I am hopeful you have seen ForgeRock Access Management 7.0.2 > OAuth 2.0 Guide > Client Credentials Grant.

Also, are your configurations consistent? Have you consulted ForgeRock Access Management 7.0.2 > Security Guide > Configuring Secrets, Certificates, and Keys?

I’m afraid I require additional information to be more helpful.
Cheers.